FFIEC Releases Two Statements on Cybersecurity

On 30 Mar, 2015 By BankOnIT

Regulators are continuing to emphasize that bank CEOs and directors must understand the risks
they are undertaking with regard to cybersecurity, just as they understand credit, liquidity and
other risks inherent in banking.

The FFIEC released two statements on March 30 outlining detailed steps that banks should use to
guard against and to recover from cyber attacks. These FFIEC releases, entitled “Destructive Malware” and “Cyber Attacks Compromising Credentials,” emphasize requirements that are already contained in the FFIEC Information Technology Examination Handbook. The FFIEC is highlighting these specific regulatory expectations because some banks are either not aware of or are just not satisfying what is required. Banks should carefully study these directives, and take appropriate action to comply.

Being adequately protected against a cyber attack is not optional, but many banks lack the
capability internally to meet the FFIEC’s expectations in this area. When a bank cannot effectively
provide on its own what the regulators require, it’s appropriate to find a competent vendor with that
capability.

Some bankers want information security to be a once-and-done event: “We adopted a policy. We
set up a committee. We bought new computers. Our I.T. person comes in to fix things. So we should
be good.” Actually, that’s only the beginning.

A bank and its third-party vendors must continue to adjust many procedures and systems in order
to maintain good information security. New cyber threats and new security vulnerabilities are
constantly appearing, even after good technology has been implemented.

It’s not much of an exaggeration to consider cybersecurity as being a “war” with many unknown
enemies, who attack at unexpected times and from every possible direction, constantly trying new
tactics. To fight these threats, a bank must be ready and able to strengthen its defenses whenever
and wherever an enemy is likely to focus its attack.

With 24-hour staffing, around-the-clock live monitoring and over 100 technical, banking and legal
professionals on staff, BankOnIT provides community banks the security, regulatory, reliability and
efficiency components that are needed to make I.T. easier for you, allowing you to focus on running
your bank.